[Samba] 3.6.0 winbind issues

Michael Wood esiotrot at gmail.com
Tue Aug 16 08:44:54 MDT 2011


Hi

On 16 August 2011 12:11, Linda Walsh <samba at tlinx.org> wrote:
>
> Michael Wood wrote:
>>
>> Hi Linda
>>
>>>
>>> Yeah...reported this a month ago... as well as other TDB/SID backend
>>> probs:
>>> http://lists.samba.org/archive/samba-technical/2011-July/078663.html
>>> http://lists.samba.org/archive/samba-technical/2011-July/078826.html
>>>
>>> ---
>>> I wasn't sure if it was a 3.6 problem or some type of cockpit error, but
>>> both emails
>>> were ignored.
>>
>> If you find something that looks like a bug and nobody responds to
>> your e-mail, perhaps you should report it via Bugzilla so that it
>> won't get lost.
>
> ----
>  I don't feel that's something many developers want -- and I know some
> don't.

Of course it depends on the circumstances.

> If you don't have firm evidence that it's the SW that is broken, they'll
> just close
> out the bug with "Works for Me", and I've wasted my time.

That depends on various things too.

> Too many times --
> even
> with repeatable test cases on too many different projects.    This is
> especially true with
> something like samba where when I asked for any help in tracking down this,
> I was asked to submit a 15-25MB samba log with debug set to 10 to the samba
> list -- NOT to upload
> it to a bug, but dump huge amounts of data to the list.  I didn't feel
> comfortable doing that.  For all I know, unencrypted passwords might be
> buried in that logfile and I'd never catch them -- not to mention the flack
> I'd get for posting something so large to the list.
> "What were you thinking?  Well so and so told me, ...you gonna jump off a
> cliff if he
> tells you to do that...etc..."...

Well, you could ask whether there would be any sensitive information
in the logs.  I doubt the Samba developers would ask you to post
sensitive stuff to the list, but of course it would be safest to ask
first and then scan through them yourself too just in case you notice
something sensitive (or of course in case you see something pointing
to the problem.)

Also, the samba mailing list generally strips attachments, so you
might want to post links to the files instead of attaching them.

Of course you should also try to limit the size of the logs by
clearing them before reproducing the problem, but I'm sure you did
that anyway.

> Even now, I'm not sure why setup is broken.
>
> I can do a UID -> SID translation and SID->UID translation on my userid,
> BUT, when windows tries to lookup my userid in winbind, the log spits out:
>
> [2011/08/15 08:30:02,  6, class=winbind]
> winbindd/winbindd.c:768(new_connection)
>  accepted socket 28
> [2011/08/15 08:30:02,  3, class=winbind]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>  [17439]: request interface version
> [2011/08/15 08:30:02,  3, class=winbind]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>  [17439]: request location of privileged pipe
> [2011/08/15 08:30:02,  6, class=winbind]
> winbindd/winbindd.c:768(new_connection)
>  accepted socket 29
> [2011/08/15 08:30:02,  6, class=winbind]
> winbindd/winbindd.c:816(winbind_client_request_read)
>  closing socket 28, client exited
> [2011/08/15 08:30:02,  3, class=winbind]
> winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>  getgroups lindaw
> [2011/08/15 08:30:02,  7, class=winbind]
> winbindd/wb_gettoken.c:65(wb_gettoken_send)
>  wb_gettoken: My domain -- rejecting getgroups() for
> S-1-5-21-33333-77777-33333-80026.
> [2011/08/15 08:30:02,  5, class=winbind]
> winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
>  Could not convert sid S-1-5-21-33333-77777-33333-80026:
> NT_STATUS_NO_SUCH_USER
> [2011/08/15 08:30:02,  3, class=winbind]
> winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>  getgroups lindaw
> [2011/08/15 08:30:02,  7, class=winbind]
> winbindd/wb_gettoken.c:65(wb_gettoken_send)
>  wb_gettoken: My domain -- rejecting getgroups() for
> S-1-5-21-33333-77777-33333-80026.
> [2011/08/15 08:30:02,  5, class=winbind]
> winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
>  Could not convert sid S-1-5-21-33333-77777-33333-80026:
> NT_STATUS_NO_SUCH_USER
> [2011/08/15 08:30:02,  3, class=winbind]
> winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>  getgroups law
> [2011/08/15 08:30:02,  7, class=winbind]
> winbindd/wb_gettoken.c:65(wb_gettoken_send)
>  wb_gettoken: My domain -- rejecting getgroups() for
> S-1-5-21-33333-77777-33333-80026.
> [2011/08/15 08:30:02,  5, class=winbind]
> winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
>  Could not convert sid S-1-5-21-33333-77777-33333-80026:
> NT_STATUS_NO_SUCH_USER
> [2011/08/15 08:30:02,  3, class=winbind]
> winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>  getgroups lindaw
> [2011/08/15 08:30:02,  7, class=winbind]
> winbindd/wb_gettoken.c:65(wb_gettoken_send)
>  wb_gettoken: My domain -- rejecting getgroups() for
> S-1-5-21-33333-77777-33333-80026.
> [2011/08/15 08:30:02,  5, class=winbind]
> winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
>  Could not convert sid S-1-5-21-33333-77777-33333-80026:
> NT_STATUS_NO_SUCH_USER
> ---------
>
> @ note, it maps the correct (historically -- what windows has seen), SID to
> my username,
> but then "My Domain -- rejecting getgroups, so 'NT_STATUS_NO_SUCH_USER'.

I don't use winbind, so I am not sure I can help with the above :)
But I see the "wb_gettoken: My domain -- rejecting getgroups()[...]"
message is printed in wb_gettoken.c only if "winbind trusted domains
only" is true and domain->primary is true.  I don't know what that's
supposed to mean, though.  Does turning off "winbind trusted domains
only" change anything?  Do you need it?  (It sounds like something one
might want to keep, but just for debugging purposes, does it make a
difference?)

Actually, I've just glanced at the documentation for winbind trusted
domains only and it seems to be deprecated.

> Things were 'worse.
>
> Like root couldn't use 'net' rpc user because 'root's ID, apparently, was
> broken, so it got
> invalid password .. and a normal user -- even admin, can't do diddly...it's
> not governed
> by file permissions, as far as I can tell, but literally a hard-coded check
> for 'root' (from
> observation -- and making all the necessary files r/w by 'group root', which
> put my
> login in.  i.e. I had r/w access to all the data files, but it refused to
> allow me to make
> any changes, even though I was in the admin and dom-admin groups.

OK, not sure what you mean exactly.

> Most of the builtin groups were missing....etc...

That definitely doesn't sound like something that should have happened.

> Hand added those back using groupmap -- but I couldn't point firmly to what
> caused
> it -- since part of the problem I knew was the inability to specify separate
> ranges for
> groups and users.  -- I had separate ranges (though I dup UID-> GID groups
> w/same name, -- I wanted to keep the users separate from the groups.
> The ability to do that was removed -- and my separate UID/GID spaces
> collapsed -- that's when I first noticed problems in that I suddenly had a
> different "SID" -- something I
> considered 'bad', as windows doesn't see you the same if you change your
> SID...
>
>
> I mentioned that in one of the notes -- first posted on samba list, and
> later on samba tech
> list -- about how they really needed to consider publishing caveat, and
> warnings about
> 3.6's DB changes and how they could corrupt/destroy user DB's...as that
> *seemed* to be
> what happened to me...but "seemed" and 1$ will get you a cup of coffee --

That's the problem, yes.  An upgrade should definitely not corrupt
your databases.  It would have been good if you could restore the old
ones, try the upgrade again and see if you could reproduce the issue.
Too late now, though, I suppose.

> hard evidence, or they don't have the  time to waste -- they don't want to
> be just helping users with
> 'cockpit' errors, and since I wasn't sure -- was my not knowing about the DB
> change
> the only thing that caused problems?  (I don't think so, but it sure didn't
> help)...

Perhaps if you did one thing at a time and posted about issues you
encountered it would be easier to help than if you upgrade, notice
something broken, hack in the builtin groups, notice something else
wrong, hack other things, etc., etc. and then ask for help.  :) If
that is not what happened, sorry, but that's the impression I got.

> not sure
> why my db got mostly zeroed/corrupted --- it just started re-allocating new
> ID's for any user/computer it saw -- out of its new default range -- which
> was incompat w/my old --
> and, I guess, (?? don't know solidly enough to file the details for a bug
> report , really),
>
> I DO file lots of bugs -- more than the average user...against a wide range
> of products
> (perl, samba, squid, lkml, novell/opensuse, mozilla Tbird * FFox, Songbird
> -- and just
> too many to count.  But I prefer to have a fairly reasonable level of
> confidence before I commit to a bug report -- so when not sure, I ask about
> the problem on list first.

Well of course it makes sense to ask about it first.  My point is that
if it seems like it might be a bug and you get no response, you could
perhaps try asking again in a few days, or file a bug report so it
doesn't go missing.

Of course it depends on the situation and if you can't reproduce it
and it's possible it was user error I understand why you might not
want to do that.

> and...well...nada.
>
> I figured if it wasn't important to them and it really was the problem I

I can't comment on why the Samba developers might not have replied to
your messages.  I can't see why an upgrade causing database corruption
would not interest them, though.

> thought it was, they'd eventually get around to dealing with it.    Too many
> times, I'm one of the first to report a bug / problem sometimes months or
> years before others hit it (I'm a computer
> science grad and I push software in odd ways to try out new things)...
>
> Given the same circumstances, all I feel I can do at that confidence level
> is say something -- that I think there's a problem and need help finding
> out.  If I'm ignored, I assume they are too busy doing other things (like
> getting ready for a major release!)

Yes, perhaps.  Or in some cases helping paying customers, I suppose :)
 Or preparing for conferences, etc.

> Some people perceive me as too pushy, too often, anyway, so I certainly
> don't need to
> push when others aren't wanting to listen, especially when I know that
> either I'll find
> I'm the only one w/ the problem. OR I was just the first.
>
>
> make sense?

Yes, it makes sense.

> Do you really think I should have handled it differently?  I

Personally, reading through and replying to a message like this takes
me a lot of time.  As I said I can't speak for the Samba developers,
but perhaps trying to keep your messages shorter will produce better
responses?

> don't feel that doing so is really desired considering where  my certainty
> levels were....

Yes, as I said it depends on the circumstances.

If this message has annoyed you, I apologise.  If it helps, great,
although I haven't really said much, so I doubt it :)

Regards,
Michael

-- 
Michael Wood <esiotrot at gmail.com>
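
The "scan through the logs yourself before sharing them" step discussed above, as an added example that is not part of the original message and not Samba project code: it parses debug records of the form quoted in this thread, withholds any record whose text matches a keyword heuristic, aliases domain SIDs, and collapses repeats so the result is small enough to read. The keyword list, the function names and the last sample record are assumptions made for illustration; the record headers are assumed to sit on one line in the log file itself.

```python
import re

# Header form taken from the log quoted above, assumed to be one line on disk:
#   [YYYY/MM/DD HH:MM:SS,  level, class=...] file.c:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)[^\]]*\]\s*(?P<loc>\S+\(\w+\))\s*$")
DOMAIN_SID = re.compile(r"S-1-5-21-\d+-\d+-\d+")  # domain part; the trailing RID is kept
# Heuristic keyword list (an assumption, not a list of what Samba can log).
SENSITIVE = re.compile(r"passw(?:or)?d|secret|hash|session key", re.I)

def parse_records(text):
    """Split a log into (timestamp, level, location, message) records."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = [m["ts"], int(m["level"]), m["loc"], []]
            records.append(current)
        elif current is not None and line.strip():
            current[3].append(line.strip())  # continuation lines belong to the last header
    return [(ts, lvl, loc, " ".join(msg)) for ts, lvl, loc, msg in records]

def prepare_for_posting(text):
    """Return (shareable_lines, flagged) where flagged records need a human read."""
    aliases, counts, flagged = {}, {}, []
    def alias(m):
        return aliases.setdefault(m.group(0), f"S-1-5-21-DOMAIN{len(aliases) + 1}")
    for ts, lvl, loc, msg in parse_records(text):
        if SENSITIVE.search(msg):
            flagged.append((ts, loc))  # withheld from the shareable output
            continue
        key = (lvl, loc, DOMAIN_SID.sub(alias, msg))
        counts[key] = counts.get(key, 0) + 1
    lines = [f"[level {lvl}] {loc}: {msg} (x{n})" for (lvl, loc, msg), n in counts.items()]
    return lines, flagged

# Three records from the log quoted above, repeated to mimic the retries.
REJECT_SEQ = (
    "[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)\n"
    "  getgroups lindaw\n"
    "[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)\n"
    "  wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-33333-77777-33333-80026.\n"
    "[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)\n"
    "  Could not convert sid S-1-5-21-33333-77777-33333-80026: NT_STATUS_NO_SUCH_USER\n"
)
# The final record is constructed for this example; it is not real Samba output.
SAMPLE = REJECT_SEQ * 4 + (
    "[2011/08/15 08:30:03, 10, class=constructed] constructed/example.c:1(constructed_fn)\n"
    "  constructed record: password = not-a-real-value\n"
)

if __name__ == "__main__":
    shareable, held_back = prepare_for_posting(SAMPLE)
    print("\n".join(shareable))
    print("needs manual review:", held_back)
```

Usernames such as the one in the getgroups records are left untouched, and a keyword match is only a prompt to read that record, so the output still needs a read-through before it is shared.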

